[author: Matt Kelly, Radical Compliance]
On May 12, 2021, the President signed an executive order directing the federal government to overhaul its approach to cybersecurity. Risk management and compliance professionals should read this order carefully, because, in the fullness of time, its directives will reach the private sector too.
The order arrived while Colonial Pipeline was still recovering from a ransomware attack that disrupted gasoline supplies across the Southeastern United States. Look at the details, though, and it is clear that the executive order is much more a response to the SolarWinds attack disclosed last year.
The SolarWinds incident is attributed to a hacking group working for Russia's Foreign Intelligence Service (SVR). The attackers compromised SolarWinds' software build process and planted a backdoor in an update to its Orion network-management software, which SolarWinds then unknowingly shipped to customers in the spring of 2020. Customers who installed the update installed the backdoor along with it, and the attackers gained access to the networks, systems and data of thousands of SolarWinds customers, including a great deal of confidential corporate and government information.
We now know that some of Corporate America's top names were victims of the SolarWinds attack, along with at least 11 U.S. federal government departments.
The Colonial Pipeline attack (and the many other ransomware attacks that have sprung up like weeds over the last year or so) added fresh urgency to an order that was already long overdue.
What does the Executive Order do?
The 34-page executive order has three main points:
- Better sharing of threat information between government contractors and federal agencies, including the prospect of mandatory cybersecurity incident reporting.
- Stronger cybersecurity practices within the federal government, including much wider use of multifactor authentication and encryption, and adoption of so-called "zero trust architecture" for network design.
- Stronger oversight of the software supply chain, including tighter controls on how engineers develop software and more documentation of the origin of any third-party code a company incorporates into its products (what the order calls a software bill of materials, or SBOM).
To be clear, none of this takes effect tomorrow. The executive order directs several federal agencies to develop the specific regulations and standards that will implement it over the coming months.
For example, the National Institute of Standards and Technology (NIST) is tasked with developing new standards for software supply chain security, and the order calls for new guidance on multifactor authentication and zero-trust architecture. The Office of Management and Budget, working with the FAR Council, will propose new contract language for the Federal Acquisition Regulation (FAR), which governs government contractors generally, and its defense supplement (DFARS), which applies specifically to defense contractors, to incorporate the points above.
But we can say with confidence that by the end of this year, companies working as government contractors, and the suppliers of those contractors, will have a much clearer picture of the more demanding cybersecurity requirements they will have to meet.
What should compliance officers anticipate now?
Even without those details in hand today, compliance officers can (and should) begin to anticipate the changes their companies will have to make.
First, expect to conduct a fresh assessment of compliance risks in light of the new cybersecurity requirements. For example, if your business will need to collect data about cyberattacks and report it to federal agencies, you may need to weigh new privacy risks; the executive order specifically mentions that concern.
Second, consider which new policies and procedures your business may need to implement, and how. For example, the order will change what your business reports to the government, how your employees develop software, the attestations your third parties will need to provide you, and more.
Questions to consider:
Who will draft these policies? Most likely the compliance, legal and information security teams, perhaps with help from other technology staff.
Who will design the internal procedures and controls to, for example, roll out multifactor authentication? The IT team, possibly with help from internal audit.
How will you make sure your contracts with technology providers include the language needed to comply with the new cybersecurity standards? Review your third-party and vendor risk policies against these new requirements.
Third, you will need to rely on technology to keep pace with these changes. Don't forget that defense contractors are already working toward compliance with a new cybersecurity standard, CMMC. Most companies also carry other security and privacy obligations, such as HIPAA for health data or PCI DSS for payment card information.
Your business may be able to reuse a single control to satisfy several of these cybersecurity obligations, if you can keep all of this remediation work on track. A robust GRC tool will therefore be crucial: one that can handle both data mapping, so you can see where your important data resides, and control mapping, so you can see which controls satisfy which compliance frameworks. Spreadsheets will not be able to handle the complexity of the work to come.
In short, the current administration intends to impose more structure and oversight on cybersecurity across the federal government. Measures of this kind have a habit of spreading across a wide swath of Corporate America.
Whatever the specifics of how your company responds to these new cybersecurity demands, risk and compliance officers have a key role to play. Cybersecurity today is as much about how your organization interacts with other parties as it is about firewalls or penetration tests. It will call for sound business processes, skillful risk assessment and thoughtful policies and procedures.
The question is how to bring that expertise to bear on cybersecurity, one of the most urgent priorities for today's companies.
See the original article in Risks and Compliance